You followed the port-forwarding guide to the letter. You logged into your router, found the right page, forwarded port 25565 to your PC's local IP, even disabled Windows Firewall to rule it out. The server starts fine. You can connect to localhost. But when your friend types in your public IP, nothing happens.
The connection times out. Every time.
The problem isn't your router. It isn't Windows Firewall. It isn't Minecraft. The problem is your ISP — and a networking trick called CGNAT that they probably never told you about.
What CGNAT Is (and Why Your ISP Uses It)
Every device on the internet needs an IP address to send and receive data. For decades, we've used IPv4 addresses — the familiar 192.168.1.1 or 74.125.224.72 format. The problem is that IPv4 only supports about 4.3 billion addresses, and we ran out of new ones years ago.
ISPs have a few options: migrate everyone to IPv6 (expensive and slow), buy IPv4 addresses on the secondary market (increasingly expensive), or share a single public IPv4 address among multiple customers.
Most chose option three.
CGNAT stands for Carrier-Grade Network Address Translation. It's the same concept as your home router's NAT, but one level higher. Your router gives your devices private IPs (like 192.168.1.x) and translates them to one public IP. With CGNAT, your ISP gives your router a private IP and translates that to a shared public IP — along with dozens or hundreds of other customers.
The result: the IP address you see at whatismyip.com isn't actually assigned to you. It's assigned to your ISP's CGNAT device, which routes traffic to you based on port numbers. When your friend tries to connect to your Minecraft server, that connection hits the ISP's CGNAT box — which has no idea that port 25565 should go to your router. The connection dies before it reaches your network.
Port forwarding in your router still "works" in the sense that it forwards traffic from your router's WAN port to your PC. But traffic never arrives at your router's WAN port, because CGNAT blocks it upstream.
How to Check If You're Behind CGNAT
You don't need special tools. Just compare two IP addresses.
Step 1: Find Your Router's WAN IP
Log into your router's admin page (usually 192.168.1.1 or 192.168.0.1) and look for the WAN or Internet status page. You'll see an IP address listed — this is the address your ISP assigned to your router.
On some routers, you can also open a terminal and run:
# Windows
ipconfig /all
# Look for the "Default Gateway" and then check your router's status page
# Linux / macOS
ip route | grep default
# Then check router admin or use a router-side command
Step 2: Find Your Public IP
Visit whatismyip.com or run:
curl ifconfig.me
Step 3: Compare
| Router's WAN IP | whatismyip.com | Result |
|---|---|---|
| 203.0.113.47 | 203.0.113.47 | No CGNAT — you have a public IP |
| 100.64.12.34 | 203.0.113.47 | CGNAT — your router's IP is private |
| 10.x.x.x | Different | CGNAT — RFC 1918 space behind NAT |
| 172.16-31.x.x | Different | CGNAT — RFC 1918 space behind NAT |
The giveaway is the 100.64.x.x range. This is "Shared Address Space" (RFC 6598), specifically reserved for CGNAT. If your router's WAN IP starts with 100.64 through 100.127, you're behind CGNAT. The 10.x.x.x and 172.16-31.x.x ranges are also private and indicate NAT (though not always carrier-grade).
Alternative: Traceroute Signatures
Run a traceroute to any public server:
# Windows
tracert 8.8.8.8
# Linux / macOS
traceroute 8.8.8.8
If the first hop after your router shows a 100.64.x.x address or multiple hops before reaching a public IP, that's CGNAT infrastructure. A direct connection without CGNAT typically shows your public IP within the first two hops.
Option 1: Tunneling Services (playit.gg, ngrok, localtunnel)
Tunneling services work around CGNAT by routing traffic through their servers. Your Minecraft server connects outbound to the tunnel provider (outbound connections work fine behind CGNAT), and the provider assigns you a public address that forwards traffic back through that connection.
How They Work
- You run a small client program on your PC (or the same machine as the server).
- The client establishes an outbound connection to the tunnel provider's server.
- The provider gives you a public hostname and port (e.g.,
abc123.playit.gg:12345). - Players connect to that address; traffic flows through the tunnel to your server.
Popular Options
| Service | Protocol | Free Tier | Notes |
|---|---|---|---|
| playit.gg | TCP/UDP | Yes | Built for game servers, Minecraft-friendly |
| ngrok | TCP | Limited | Originally for web dev, works for Minecraft |
| Cloudflare Tunnel | TCP (via Spectrum) | Spectrum requires paid plan | Enterprise-grade, overkill for hobby use |
| localtunnel | HTTP only | Yes | Won't work for Minecraft (no raw TCP) |
Tradeoffs
Latency: Every packet now takes a detour through the tunnel provider's server. If that server is in Virginia and your players are in Berlin, they're adding cross-Atlantic latency to every block break. The overhead varies — playit.gg has decent coverage, but you're at the mercy of their infrastructure.
Reliability: Free tiers can be rate-limited, throttled, or occasionally unavailable. Your server's uptime now depends on a third party.
Security: The tunnel client runs on your network and establishes an outbound connection to a third party. Reputable providers like playit.gg are fine for hobby use, but you're trusting their infrastructure. If security is critical, understand that the tunnel provider can technically see your traffic. As one r/admincraft poster recently asked: "Am I secure?" The short answer is probably, for a small friends server — but it's a reasonable question to ask.
Port Numbers: You usually can't pick your port. Players connect to whatever the service assigns, which might be play.your-domain.gg:54321 instead of the standard :25565. Minor inconvenience, but worth noting.
If you want to host on your own hardware and CGNAT is your only obstacle, tunneling services are a legitimate workaround. They're free, they work, and for a small server with friends, the tradeoffs are tolerable.
Option 2: Request a Public IP from Your ISP
Sometimes you can just ask.
Residential Plans
Many ISPs will assign you a dedicated public IPv4 address if you call support and ask. Some charge a small monthly fee (often in the range of a few euros or dollars); others do it for free but don't advertise it.
The success rate varies wildly:
- Large cable ISPs: Often possible, sometimes requires a "static IP add-on" for a fee.
- Fiber ISPs: Increasingly using CGNAT by default, but may offer public IPs on request.
- Mobile/LTE ISPs: Almost never. These are the most aggressive about CGNAT.
- Small regional ISPs: Worth asking — policies vary.
Script for the call: "I run a small game server for personal use and need to accept inbound connections. Can I be assigned a dedicated public IPv4 address instead of a shared CGNAT address?"
If they say yes, ask whether it's static or dynamic. A static IP never changes; a dynamic IP is still public but may rotate occasionally (which breaks your server address unless you set up dynamic DNS). Both work for Minecraft; static is more convenient.
Business Plans
If your residential ISP won't budge, check if they offer business-class internet at your address. Business plans typically include a static public IP by default — CGNAT defeats the point of business connectivity.
The downside: business plans cost more, often significantly. But if you're serious about self-hosting multiple services, it might make sense.
What If They Say No?
If your ISP flat-out refuses to provide a public IP, your remaining options are tunneling services (above) or moving your server off your home network entirely.
Option 3: Managed Hosting or a VPS
The cleanest solution is to stop fighting your home network and run the server somewhere that was designed for it.
VPS (Virtual Private Server)
You rent a small Linux server in a datacenter. It has a public IPv4 address by default — no CGNAT, no port forwarding, no ISP negotiations.
Running Minecraft on a VPS requires some Linux knowledge: SSH, systemd, firewall rules, file transfers. If you're comfortable with a terminal, it's straightforward. If you're not, there's a learning curve.
The monthly cost depends on specs. A basic VPS with 4 GB RAM (enough for a small vanilla server) runs roughly the same as a cup of coffee per week. Providers like Hetzner, OVH, and Linode are popular in the Minecraft community.
Managed Minecraft Hosting
Managed hosts give you a control panel instead of a Linux shell. You get a public IP or hostname, a web interface for the console, file management, and usually one-click setup for server software.
On Swelis, every service gets a stable public IPv4 — no CGNAT, no port forwarding configuration on your end. You pick your RAM and CPU allocation, choose your server software (Paper, Purpur, Fabric, Forge, or vanilla), and the server is online in about two minutes. The control panel handles the console, file uploads, backups, and version changes.
The tradeoff is that your server runs on someone else's hardware, not yours. For most people hosting a community server, that's the point — you don't want to be the one woken up at 3am because your PC rebooted.
Comparing Your Options
| Option | Works Behind CGNAT? | Latency Added | Monthly Cost | Setup Effort |
|---|---|---|---|---|
| Port forwarding | No | None | Free | Low |
| Tunneling (playit.gg, ngrok) | Yes | Variable (depends on tunnel location) | Free (or low) | Low |
| Request public IP from ISP | Removes CGNAT | None | Free to moderate | Phone call |
| VPS | Yes (public IP) | Depends on datacenter location | Low-moderate | Medium (Linux skills) |
| Managed hosting | Yes (public IP) | Depends on host location | Moderate | Very low |
Frequently Asked Questions
Can I use IPv6 instead?
Technically, yes — IPv6 doesn't have address exhaustion, so there's no need for CGNAT. If your ISP supports IPv6 and you enable it on your server, players with IPv6 connectivity can connect directly.
The catch: not everyone has IPv6 yet. If even one friend is on an IPv4-only connection, they can't reach your server. You'd need to run both (dual-stack) or use a tunnel for the IPv4 side. It's an option, but not a universal fix in 2026.
Why didn't my ISP tell me about CGNAT?
Because it doesn't affect most users. Streaming Netflix, browsing the web, playing online games as a client — all of that works fine behind CGNAT. Inbound connections are the exception, and most residential customers never need them.
ISPs don't advertise CGNAT because explaining it creates support tickets. It's easier to quietly share IPs and let the tiny fraction of affected users figure it out.
Is playit.gg safe?
For a small private server, yes. playit.gg is widely used in the Minecraft community, specifically designed for game server traffic, and doesn't require exposing your home IP to players. You're trusting their infrastructure to be reliable and not inspect your traffic, but that's no different from trusting any cloud provider.
If you're running a larger server with player data or donations involved, a dedicated IP (via hosting or ISP) removes a third-party dependency and gives you more control.
Will a VPN fix this?
A standard VPN (like NordVPN or Mullvad) won't help — it gives you outbound privacy, not inbound reachability. Your Minecraft server still can't accept connections through a consumer VPN.
Some VPN providers offer port-forwarding features (Mullvad used to, briefly), but these are rare and often restricted. A dedicated tunnel service or proper hosting is more reliable.
Quick Reference
| Question | Answer |
|---|---|
| What is CGNAT? | ISP-level NAT that shares one public IP among many customers, blocking inbound connections. |
| How do I check? | Compare your router's WAN IP to whatismyip.com. If they differ (especially 100.64.x.x), you're behind CGNAT. |
| Does port forwarding still work? | No — the port never reaches your router because CGNAT drops it upstream. |
| Can I ask my ISP for a public IP? | Often yes, sometimes with a small fee. Call and ask. |
| What's the easiest workaround? | Tunneling services like playit.gg — free, low setup, works behind CGNAT. |
| What's the cleanest solution? | Host your server somewhere with a dedicated public IP (VPS or managed hosting). |
Related Guides
- How to Port Forward a Minecraft Server — The full walkthrough for when you do have a public IP.
- Minecraft Server Hosting 101 — Everything beginners need to know about server hosting options.
- Free vs Paid Minecraft Hosting — When free hosting makes sense, and when to pay.
- How to Secure Your Minecraft Server — Beyond whitelisting: IP hiding, anti-grief, and secure configs.
- A Complete Tour of the Swelis Control Panel — What you can do from the dashboard once your server is running.
- How to Add a Custom Domain to Your Minecraft Server — Turn your IP into
play.yourserver.com.